<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hello Remi :)<br><br></div>Thank you for your fast reply and time. So I checked your site with:<br>-------<br>newServer({address="192.168.1.2", name="master", pool={"master", "otherpool"}})<br>addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), PoolAction("master"))<br><br>addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>"))}), RCodeAction(dnsdist.REFUSED))<br><br>addAction(AndRule({OpcodeRule(DNSOpcode.Notify), NotRule(makeRule("<a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a>"))}), RCodeAction(dnsdist.REFUSED))<br>-------<br><br></div><div>So in my case, which of above should go to Server 1 (Master) and which to Server 2 (Slave)?<br><br></div><div>If my Server 1 (Master) is 193.91.200.10, should I add to Server 1 dnsdist.conf:<br>-------<br>newServer({address="193.91.200.10", name="master", pool={"master", "otherpool"}})<br>addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR), QTypeRule(dnsdist.IXFR)}), PoolAction("master"))</div><div>------<br><br>Should I add below to my Server 2 (Slave) with <a href="http://193.91.200.20" target="_blank">193.91.200.20</a>:<br>-------<br>addAction(AndRule({OrRule({QTypeRule(dnsdist.AXFR), 
QTypeRule(dnsdist.IXFR)}), NotRule(makeRule("<a href="http://193.91.200.20/32" target="_blank">193.91.200.20/32</a>"))}), 
RCodeAction(dnsdist.REFUSED))<br>-------<br><br></div><div>May you be so kind and look in to my case and help me to figure it out? I am smiling to you with very wide open eyes :)<br></div><div dir="ltr"><br></div><div>Best regards.<div class="gmail-yj6qo gmail-ajU"><div id="gmail-:3b" class="gmail-ajR" tabindex="0"><img class="gmail-ajT" src="https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif"></div></div><span class="gmail-HOEnZb gmail-adL"><font color="#888888"></font></span></div><span class="gmail-HOEnZb gmail-adL"><font color="#888888"><div>AR</div></font></span></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">czw., 4 kwi 2019 o 12:11 Remi Gacogne <<a href="mailto:remi.gacogne@powerdns.com">remi.gacogne@powerdns.com</a>> napisał(a):<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Angelika,<br>
<br>
I would suggest you read [1] first, it explains the issue you are having<br>
and some of the options to fix it.<br>
<br>
[1]: <a href="https://dnsdist.org/advanced/axfr.html" rel="noreferrer" target="_blank">https://dnsdist.org/advanced/axfr.html</a><br>
<br>
Best regards,<br>
<br>
Remi<br>
<br>
On 4/3/19 11:40 PM, angelika rossos wrote:<br>
> Hello!<br>
> <br>
> I use CentOS latest version. I have two servers (below are not real used<br>
> public IP, I don't want to share real ones):<br>
> <br>
> Server 1 - public IP for example 193.91.200.10 - master<br>
> Server 2 - public IP for example 193.91.200.20 - slave<br>
> <br>
> I have installed dnsdist, pdns and pdns-recursor latest versions. Below<br>
> are my configs for dnsdist, pdns and pdns-recursor for both servers.<br>
> <br>
> Server 1: dnsdist.conf<br>
> -------<br>
> setLocal('<a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">193.91.200.10:53</a> <<a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">http://193.91.200.10:53</a>>')<br>
> setACL({'<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>', '::/0'})<br>
> <br>
> newServer({address='<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>>', pool='auth'})<br>
> newServer({address='<a href="http://127.0.0.1:5301" rel="noreferrer" target="_blank">127.0.0.1:5301</a> <<a href="http://127.0.0.1:5301" rel="noreferrer" target="_blank">http://127.0.0.1:5301</a>>',<br>
> pool='recursor'})<br>
> <br>
> recursive_ips = newNMG()<br>
> recursive_ips:addMask('<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>>')<br>
> <br>
> addAction(OrRule({QTypeRule(dnsdist.SOA), QTypeRule(dnsdist.AXFR),<br>
> QTypeRule(dnsdist.IXFR)}), PoolAction("auth"))<br>
> <br>
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))<br>
> addAction(AllRule(), PoolAction('auth'))<br>
> -------<br>
> <br>
> Server 1: pdns.conf<br>
> -------<br>
> allow-axfr-ips=<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a><br>
> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> daemon=no<br>
> disable-axfr=no<br>
> disable-tcp=no<br>
> guardian=no<br>
> launch=bind<br>
> bind-config=/etc/pdns/named.conf<br>
> bind-check-interval=300<br>
> local-address=127.0.0.1<br>
> local-port=5300<br>
> master=yes<br>
> setgid=pdns<br>
> setuid=pdns<br>
> -------<br>
> <br>
> Server 1: recursor.conf<br>
> -------<br>
> allow-from=<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>>, <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a><br>
> <<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">http://10.0.0.0/8</a>>, <a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<br>
> <a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> dont-query=<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>>, <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> <<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">http://10.0.0.0/8</a>><br>
> forward-zones=<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>=<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>><br>
> local-address=127.0.0.1<br>
> local-port=5301<br>
> setgid=pdns-recursor<br>
> setuid=pdns-recursor<br>
> -------<br>
> <br>
> Server 1: named.conf<br>
> -------<br>
> options {<br>
>         directory "/var/named";<br>
>         listen-on { <a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>>; };<br>
>         allow-transfer { <a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>;<br>
> <a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>>; };<br>
> };<br>
> <br>
> zone "<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>" {<br>
>         type master;<br>
>         file "<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>";<br>
> };<br>
> -------<br>
> <br>
> Server 2: dnsdist.conf<br>
> -------<br>
> setLocal('<a href="http://193.91.200.20:53" rel="noreferrer" target="_blank">193.91.200.20:53</a> <<a href="http://193.91.200.20:53" rel="noreferrer" target="_blank">http://193.91.200.20:53</a>>')<br>
> setACL({'<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">0.0.0.0/0</a> <<a href="http://0.0.0.0/0" rel="noreferrer" target="_blank">http://0.0.0.0/0</a>>', '::/0'})<br>
> <br>
> newServer({address='<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>>', pool='auth'})<br>
> newServer({address='<a href="http://127.0.0.1:5301" rel="noreferrer" target="_blank">127.0.0.1:5301</a> <<a href="http://127.0.0.1:5301" rel="noreferrer" target="_blank">http://127.0.0.1:5301</a>>',<br>
> pool='recursor'})<br>
> <br>
> recursive_ips = newNMG()<br>
> recursive_ips:addMask('<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>')<br>
> <br>
> addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursor'))<br>
> addAction(AllRule(), PoolAction('auth'))<br>
> -------<br>
> <br>
> Server 2: pdns.conf<br>
> -------<br>
> allow-axfr-ips=<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a><br>
> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> daemon=no<br>
> disable-axfr=no<br>
> disable-tcp=no<br>
> guardian=no<br>
> launch=bind<br>
> bind-config=/etc/pdns/named.conf<br>
> bind-check-interval=300<br>
> local-address=127.0.0.1<br>
> local-port=5300<br>
> setgid=pdns<br>
> setuid=pdns<br>
> slave=yes<br>
> -------<br>
> <br>
> Server 2: recursor.conf<br>
> -------<br>
> allow-from=<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>>, <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a><br>
> <<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">http://10.0.0.0/8</a>>, <a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<br>
> <a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> dont-query=<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">127.0.0.0/8</a> <<a href="http://127.0.0.0/8" rel="noreferrer" target="_blank">http://127.0.0.0/8</a>>, <a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">10.0.0.0/8</a> <<a href="http://10.0.0.0/8" rel="noreferrer" target="_blank">http://10.0.0.0/8</a>><br>
> forward-zones=<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>=<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>><br>
> local-address=127.0.0.1<br>
> local-port=5301<br>
> setgid=pdns-recursor<br>
> setuid=pdns-recursor<br>
> -------<br>
> <br>
> Server 2: named.conf<br>
> -------<br>
> options {<br>
>         directory "/var/named";<br>
>         listen-on { <a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">127.0.0.1:5300</a> <<a href="http://127.0.0.1:5300" rel="noreferrer" target="_blank">http://127.0.0.1:5300</a>>; };<br>
>         allow-transfer { <a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>;<br>
> <a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>>; };<br>
> };<br>
> <br>
> zone "<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>" {<br>
>         type slave;<br>
>         file "<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>";<br>
>         masters { 193.91.200.10; };<br>
> };<br>
> -------<br>
> <br>
> When I start services for dnsdist, pdns, pdns-recursor everything is<br>
> working great instead AXFR zone transfer from master to slave. I have<br>
> got such error information:<br>
> <br>
> Server 2:<br>
> pdns_server[12447]: AXFR of domain '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' initiated by 127.0.0.1<br>
> pdns_server[12447]: AXFR of domain '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' denied: client IP 127.0.0.1 has no permission<br>
> pdns_server[12447]: AXFR of domain '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' failed: 127.0.0.1 cannot request AXFR<br>
> <br>
> When I add to:<br>
> Server 1: pdns.conf<br>
> -------<br>
> allow-axfr-ips=<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">127.0.0.1/32</a> <<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">http://127.0.0.1/32</a>>,<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a><br>
> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> -------<br>
> <br>
> AXFR transfer is completed:<br>
> pdns_server[12784]: Domain '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' is stale, master serial 2019040302, our<br>
> serial 2019040301<br>
> pdns_server[12784]: Initiating transfer of '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' from remote '193.91.200.10'<br>
> pdns_server[12784]: Starting AXFR of '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' from remote <a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">193.91.200.10:53</a><br>
> <<a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">http://193.91.200.10:53</a>><br>
> pdns_server[12784]: AXFR started for '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>'<br>
> pdns_server[12784]: AXFR of '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' from remote <a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">193.91.200.10:53</a><br>
> <<a href="http://193.91.200.10:53" rel="noreferrer" target="_blank">http://193.91.200.10:53</a>> done<br>
> pdns_server[12784]: Backend transaction started for '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' storage<br>
> pdns_server[12784]: Zone '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>' (/var/named/<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>) reloaded<br>
> pdns_server[12784]: AXFR done for '<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a><br>
> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>>', zone committed with serial number 2019040302<br>
> pdns_server[12784]: Done launching threads, ready to distribute questions<br>
> <br>
> But I have got information, when I test DNS on<br>
> website <a href="https://mxtoolbox.com" rel="noreferrer" target="_blank">https://mxtoolbox.com</a>:<br>
> "dns <a href="http://angelikarossos.com" rel="noreferrer" target="_blank">angelikarossos.com</a> <<a href="http://angelikarossos.com" rel="noreferrer" target="_blank">http://angelikarossos.com</a>> Open Zone Transfer<br>
> Detected"<br>
> So this "Open Zone Transfer" is related with <a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">127.0.0.1/32</a><br>
> <<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">http://127.0.0.1/32</a>> in pdns.conf with line allow-axfr-ips=<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">127.0.0.1/32</a><br>
> <<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">http://127.0.0.1/32</a>>,<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">193.91.200.10/32</a><br>
> <<a href="http://193.91.200.10/32" rel="noreferrer" target="_blank">http://193.91.200.10/32</a>>,<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">193.91.200.20/32</a> <<a href="http://193.91.200.20/32" rel="noreferrer" target="_blank">http://193.91.200.20/32</a>><br>
> <br>
> My question is, how I am suppose to resolve this problem, when I have<br>
> dnsdist with public IPs and pdns and pdns-recursor on local IPs on both<br>
> servers?<br>
> <br>
> I would be glad for your help and support.<br>
> <br>
> Thank you in advance for your time and effort.<br>
> <br>
> Best regards.<br>
> <br>
> AR<br>
> <br>
> _______________________________________________<br>
> dnsdist mailing list<br>
> <a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
> <a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
> <br>
<br>
<br>
-- <br>
Remi Gacogne<br>
PowerDNS.COM BV - <a href="https://www.powerdns.com/" rel="noreferrer" target="_blank">https://www.powerdns.com/</a><br>
<br>
_______________________________________________<br>
dnsdist mailing list<br>
<a href="mailto:dnsdist@mailman.powerdns.com" target="_blank">dnsdist@mailman.powerdns.com</a><br>
<a href="https://mailman.powerdns.com/mailman/listinfo/dnsdist" rel="noreferrer" target="_blank">https://mailman.powerdns.com/mailman/listinfo/dnsdist</a><br>
</blockquote></div></div>